YungBinary (@yungbinary)'s Twitter Profile
YungBinary

@yungbinary

Malware Researcher @eSentire

ID: 784824948212629504

Joined: 08-10-2016 18:37:03

94 Tweets

255 Followers

135 Following

YungBinary (@yungbinary):

New malware analysis blog on #DarkCloud, an infostealer written in VB6 + a config extractor and string decryption tool for IDA Pro!

esentire.com/blog/eye-of-th…
YungBinary (@yungbinary):

New blog on #ChaosBot! A novel Rust-based backdoor that uses Discord for C2 and supports commands like shell (execute PowerShell commands), scr (screenshot), download (download files to victim device), and upload (exfiltrate files from victim device).

esentire.com/blog/new-rust-…
YungBinary (@yungbinary):

Seeing new #NetSupport campaigns that use a new PowerShell-based loader that drops/executes NetSupport and deletes RunMRU registry values in order to hide evidence of #ClickFix execution! This one has a licensee named KAKAN, though is likely related to EVALUSION campaigns.

C2:
YungBinary (@yungbinary):

Seeing #MyKings #Smominru botnet dropping #XMRig, uses HTTP user agent "Custom C++ HTTP Client/1.0" in requests. They drop a batch script (included below) to remove other threat actors' malware/scheduled tasks/WMI subscriptions, and block tcp 135 (RPC), 445 (SMB), and 139
YungBinary (@yungbinary):

New blog on #NetSupport RAT: a year's worth of incidents, identified 3 threat groups using it maliciously, and created an unpacking tool for PowerShell-based loader variants!

esentire.com/blog/unpacking…
YungBinary (@yungbinary):

NetSupport RAT operators: *sees our blog and updates loader to use random filenames + renaming*
Us: *updates unpacking tool same day*

They really thought that would stop us 😂

Tool: 
github.com/eSentire/iocs/…

Sample: virustotal.com/gui/file/1ecd7…

C2:
foundationasdasd[.]com
eSentire Threat Intel (@esthreat):

TRU's advisory on Windows Server Update Service vulnerability CVE-2025-59287 has been updated with technical details and IoCs from recent incidents. Read the Latest: esentire.com/security-advis…

YungBinary (@yungbinary):

.NET malware analysis tip: If you see "This breakpoint will not currently be hit" for a dynamically invoked method:

Wait for the assembly to load (e.g., [System.Reflection.Assembly]::Load(byte[] assembly)).

In dnSpy:

    - Go to View > Options and enable "Debug files loaded
YungBinary (@yungbinary):

Blog is out on reverse engineering #Amatera stealer!

We discovered threat clusters using Amatera for data-theft and as a loader for #NetSupport RAT.

Fun techniques, config extractors, hashes w/ samples in VT, and CyberChef recipes below 👇

esentire.com/blog/evalusion…
YungBinary (@yungbinary):

TRU is tracking active exploitation of #React2Shell and released an advisory with observables/indicators. 

Observed activity includes system reconnaissance and attempts to exfiltrate AWS credentials.

esentire.com/security-advis…
p3bt3b (@p3bt3b):

We at eSentire Threat Intel (@esthreat) are tracking AI subscription resale across underground markets - shared logins, carded upgrades, and free creds.
Access to these accounts can expose workspace data, chat history and other corporate insights 💀 as well.

More here: esentire.com/blog/hackers-a…
p3bt3b (@p3bt3b):

Interesting observation in a #React2Shell (CVE-2025-55182) exploitation: payload removes competing miners & their persistence 😂 while establishing its own via cron, systemd & SSH key. Exfiltrates AWS/GCP creds & included a comment "npx fix-react2shell-next".